/*
* This is a variant of the Needham-Schroeder Symmetric Key Protocol,
* using message tags rather than nonce arithmetic. The protocol allows
* the server S to generate a session key Kab for use by A and B.
* The protocol (once we add message tags) is:
*
* A -> S : A, B, Na
* S -> A : { msg2(Na, B, Kab, { msg3(Kab, A) }Kbs) }Kas
* A -> B : { msg3(Kab, A) }Kbs
* B -> A : { msg4(Nb) }Kab
* A -> B : { msg5(Nb) }Kab
*
* This protocol is flawed if one takes into account the possibility
* of key compromise (see for example Clark and Jacob, 1997):
* Message 3 is vulnerable to replay. As a result, an attacker
* can impersonate A and trick B into accepting a compromised key.
*
* On the other hand, under the idealistic assumption that keys can't
* be compromised, this protocol is safe.
*
* Whether this protocol type-checks, depends on the how we write
* the correspondence specifications.
*
* If we require the correspondence "providing Kab to B for A" to end
* before message 4, then the protocol does not type-check. Ending the
* correspondence at this point guarantees that the key for encrypting
* and decrypting messages 4 and 5 is new.
*
* On the other hand, if we require the correspondence to end after
* message 5, then the protocol type-checks. However, in this case, Kab is
* used to encrypt and decrypt messages 4 and 5, although at this point our
* specifications do not guarantee that Kab is new.
*
* A fix for the key-compromise attack, as proposed by Needham and Schroeder,
* is presented in ns-modified.cry.
*
* Alan Jeffrey, v0.0.2 2001/02/25
* Christian Haack, modified for v.1.1.0 2004/09/13
*/

/*
* Include the standard prelude
*/

importprelude;
public providing : Word;
public session : Word;
public key : Word;
public to : Word;
public for : Word;

/*
* We assume that two principals are able to securely lookup their shared
* longterm keys. We formally express this by assuming the existence
* of a secure lookup function of the following dependent function type:
*/